nixbitcoin
81a1c3f908
service hardening: Add CapabilityBoundingSets
...
Whitelist with exceptions in webindex and onion-chef
2020-05-22 11:29:54 +00:00
nixbitcoin
3cd61506e0
webindex & onion-chef: Run non-network-facing services in PrivateNetwork
2020-05-22 11:29:07 +00:00
nixbitcoin
7c70dd43ac
All modules: Give service config precedence over defaultHardening
...
With '//' the latter takes precedence over the former in case of
equally named attributes.
2020-05-22 08:08:27 +00:00
nixbitcoin
b8e10afe18
recurring-donations: Run under recurring-donations user
2020-05-19 11:13:26 +00:00
nixbitcoin
5d01ea7101
nodeinfo: Convert to module and allow alternative operator username
...
currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option.
and nix-bitcoin-webindex.nix has nodeinfo as a dependecy.
so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
2020-05-19 11:13:24 +00:00
nixbitcoin
95d230d1d6
Remove bitcoinrpc group remnants
2020-05-19 11:13:22 +00:00
nixbitcoin
563b210835
spark-wallet: Run under spark-wallet user
2020-05-19 11:13:20 +00:00
nixbitcoin
205fca3576
bitcoind: only make blocksdir group-readable when dataDirReadableByGroup
2020-05-19 11:13:18 +00:00
nixbitcoin
81a04a4ef1
lightning-charge: add dedicated user
2020-05-19 11:13:16 +00:00
nixbitcoin
0ba55757f8
clightning: allow group access to RPC socket
2020-05-19 11:13:12 +00:00
nixbitcoin
304dd297ba
clightning: remove config group read access
2020-05-19 11:13:05 +00:00
nixbitcoin
04c6936ce9
clightning: Remove clightning "bitcoinrpc" membership
...
Secrets are written to clightning config file during preStart with root
permissions because of PermissionsStartOnly.
2020-05-19 11:09:13 +00:00
nixbitcoin
393ab0fb3c
electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes
...
Electrs does not need to be a part of "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
2020-05-19 11:08:59 +00:00
nixbitcoin
7cfae66db4
electrs: Drop insecure TLS ciphers
2020-05-19 11:08:52 +00:00
nixbitcoin
4c139a6d77
electrs: Make TLSProxy truly optional
...
If TLSProxy is disabled, bypass nginx by forwarding Tor HS traffic
directly to electrs.
2020-05-19 11:08:48 +00:00
Erik Arvstedt
509fca5328
fix syntax error
...
Fixes #172
2020-05-06 12:13:32 +02:00
nixbitcoin
159f551b93
Remove bitcoin, clightning, electrs, liquid user home directory
2020-04-26 14:08:08 +02:00
nixbitcoin
742aef1e0f
Only set dataDirReadableByGroup if cfg.high-memory is enabled
2020-04-24 16:21:12 +02:00
Erik Arvstedt
4dc6c3ba5d
add option 'dataDirReadableByGroup'
...
These settings are now more accessible for users that don't use
nix-bitcoin's default node config.
Additionally, remove 'other' permissions via umask.
2020-04-16 15:55:34 +02:00
Erik Arvstedt
3e188238d0
only update bitcoin.conf when changed
2020-04-12 22:32:37 +02:00
Erik Arvstedt
08322eed9b
use [[ test
2020-04-12 22:32:37 +02:00
Erik Arvstedt
201fc33782
move line to relevant code section (blocks dir setup)
2020-04-12 22:32:37 +02:00
Erik Arvstedt
1f8fe310d0
remove option 'configFileOption'
...
It doesn't make sense for bitcoind users to completely redefine their
config file. Also, it's poorly named and the description is faulty.
This is a breaking change, but this option has probably no actual users.
2020-04-12 22:32:37 +02:00
Erik Arvstedt
4e5c1d7551
disable redundant logfile
2020-04-12 22:32:37 +02:00
Erik Arvstedt
a05551fd1c
improve config file formatting
2020-04-12 22:32:37 +02:00
Erik Arvstedt
5e81d60d63
improve formatting
2020-04-12 22:32:37 +02:00
Erik Arvstedt
d60a5aa4db
define rpc.users submodule inline
...
Improves readability.
2020-04-12 22:32:37 +02:00
Erik Arvstedt
1a2271fb14
remove unused variable 'hexStr'
2020-04-12 22:32:36 +02:00
Erik Arvstedt
4e92b1c818
remove redundant hardening options
...
These are already defined in nix-bitcoin-services.defaultHardening.
2020-04-12 22:32:36 +02:00
Erik Arvstedt
47fd6cd0f3
simplify ExecStart
2020-04-12 22:32:36 +02:00
Erik Arvstedt
64fc63cc40
remove pidFile
...
- service type "simple" is the default
- pidFile is not needed for service type "simple"
2020-04-12 22:32:36 +02:00
Erik Arvstedt
bceaa361ca
operator: allow reading systemd journal
2020-04-09 11:02:06 +02:00
Erik Arvstedt
145961c2de
fix operator authorized keys setup
...
This fixes these flaws in `copy-root-authorized-keys`:
- When `.vbox-nixops-client-key` is missing, operator's authorized_keys
file is always appended to, growing the file indefinitely.
- Service is always added and not restricted to nixops-vbox deployments.
2020-04-09 11:02:06 +02:00
Erik Arvstedt
37b2faf63c
move systemPackages definitions to services
...
These are generally useful and shouldn't be limited to secure-node.nix.
Also, only add the hardware-wallets group when hardware wallets are enabled.
2020-04-08 17:35:14 +02:00
Erik Arvstedt
6c22e13b7f
copy-root-authorized-keys: use inline script definition
2020-04-08 17:35:14 +02:00
Erik Arvstedt
63c6fe3213
fixup! use '' for multi-line string
2020-04-08 17:35:14 +02:00
Erik Arvstedt
ab617946a9
extract variable 'cfg'
2020-04-08 17:35:13 +02:00
Erik Arvstedt
36c84d8360
add option clightning.onionport
...
Analogous to electrs.onionport
2020-04-08 17:35:13 +02:00
Erik Arvstedt
681dbaf328
move electrs.onionport option
...
Only used in secure-node.nix
2020-04-08 17:35:13 +02:00
Erik Arvstedt
74fbfa3a5d
use lib.optionals
2020-04-08 17:35:13 +02:00
Erik Arvstedt
ec6d33fbb6
rearrange code sections
...
Move services to the top, operator account setup to the bottom.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
e16ddc9c77
extract 'mkHiddenService'
...
toPort equals port by default.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
89d3d58850
use mkIf
2020-04-08 17:35:13 +02:00
Erik Arvstedt
85e52a06cb
improve grouping of suboptions
2020-04-08 17:35:12 +02:00
Erik Arvstedt
1a63f0ca6a
remove option 'services.nix-bitcoin.enable'
...
Users can enable the node config just by importing secure-node.nix
2020-04-08 17:35:12 +02:00
Erik Arvstedt
0f8b2e91fd
add nix-bitcoin.nix for backwards compatibility
2020-04-08 17:35:12 +02:00
Erik Arvstedt
28792f79dc
rename nix-bitcoin.nix -> presets/secure-node.nix
2020-04-08 17:35:12 +02:00
Jonas Nick
9239268ab6
Merge #136 : Change the nix-bitcoin deployment from forking this repo to importing the module
...
b2e15c17b8
docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9
Add fetch-release script (Jonas Nick)
c303cd47e4
Add push-release.sh helper (Jonas Nick)
705d187a35
examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656
docs: Remove duplicate instructions (Jonas Nick)
455c5664c9
docs: Replace tabs with spaces (Jonas Nick)
8aa4714979
docs: Update NixOS version (Jonas Nick)
9df22a2764
add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994
README: Add Example section (Jonas Nick)
44ccbb91d0
Clean up development shell.nix (Jonas Nick)
abcee651d3
add deploy-container.sh (Erik Arvstedt)
5dadea310c
add deploy-nixops.sh (Erik Arvstedt)
0c74c365de
mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef
move main module import to configuration.nix (Erik Arvstedt)
0c0978c007
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498
Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)
Pull request description:
Top commit has no ACKs.
Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
2020-04-08 15:03:08 +00:00
Erik Arvstedt
b07c77f4a4
secrets.nix: remove obsolete comment
2020-03-29 18:51:34 +02:00
Erik Arvstedt
0c0978c007
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir'
2020-03-24 21:43:21 +00:00